
Administration - Using the Admin Panel and Changing Settings


Customize your Duo experience by changing global settings in the Duo Admin Panel.

To access the Admin Panel, navigate to , enter your administrator account email address and password, and click Log In. After your login is accepted, you must then authenticate using a second factor. To use Duo's push authentication, you must activate your administrator account for Duo Mobile separately from your user account. See Managing Administrative Users for instructions.

Changing Administrative Settings

Administrators may use the Settings page in the Duo Admin Panel to customize account branding and second factor features. To access these features, log in to the Duo Admin Panel and click Settings in the left sidebar. Be sure to click the Save Changes button at the bottom of the page after updating any settings.

Role required: Owner or Administrator (the Billing role may not access the Settings page; other roles may view but not modify settings).

General Look & Feel Settings

At the top of the Settings page you can change your Account name, Region, Language, Preferred timezone, or Logo. The Region and Preferred timezone selections apply to all dates and timestamps in the Duo Admin Panel and logs.

Change the Language setting from English to display the browser-based Duo Prompt in French or German to your end users. This setting is global; users see the selected language in the authentication prompt no matter their actual location.

The Account Name and Logo specified here will be displayed in your Duo Admin Panel, and seen by your users during enrollment and authentication via browser, as well as in the Duo Mobile app. The logo image must be in PNG format and not exceed 500 by 500 pixels and 200 KB. We recommend a 304 by 304 pixel logo image with a transparent background for the best results.

As an example, if you upload a company logo and change the account name to "Acme Corp." like so:

General Settings

The account appears in Duo Mobile as follows:

Duo Mobile Accounts Screen

The company logo you update here is also shown in the Duo Prompt.

Authentication prompt with Duo branding

The Duo authentication prompt displays the text "Powered by Duo Security" by default. To remove this statement from your authentication prompt, clear the Duo branding General settings option.

Restricting Authentication Methods

There are many ways that users can receive their second authentication factor when logging in: their Duo Mobile app can be pinged for one-tap authentication with Duo Push, they can be sent a passcode via SMS, they can receive an automated voice call, and so on (see our detailed explanation of all Authentication Methods).

In plans that include Duo's policy engine, like the Duo Access or Duo Beyond plans, use the policy editor to change the "Authentication Methods" policy setting globally or for specific applications and users. See the Policy & Control documentation for more information.

Administrators of Duo MFA plans without the policy engine can restrict these options by disabling unwanted methods in the "Authentication Methods" section of the Settings page.

For example, you can uncheck the phone callback authentication method.

Authentication method settings

Phone call no longer appears as an option in the authentication prompt. If all methods are deselected, then only hardware token passcodes or bypass codes may be used to authenticate.

Authentication prompt without phone call option

Note: Even if Duo Push is disabled, users will still be able to use Duo Mobile to generate a one-time passcode (much as they might with a hardware token). You can prevent users from using the app to generate one-time passcodes by unchecking the Duo Mobile passcodes authentication method.

U2F Tokens

Universal 2nd Factor (or U2F) is an authentication standard from the FIDO alliance. All Duo editions include U2F. U2F tokens require Chrome 41 and later or Opera 40 and later, and are compatible with Duo's browser-based applications that feature inline enrollment and authentication prompt.

U2F tokens can't be imported or assigned to users from the Admin Panel; users must self-enroll the U2F token via the Duo enrollment prompt or device management portal. Once a U2F token is enrolled in Duo, the user simply taps it at the Duo Prompt to complete login.

Duo MFA customers who see the top level Policy navigation item in their Admin Panel don't need to allow U2F on the Settings page; it's already allowed. If you're on Duo's Duo Access or Duo Beyond plans, U2F usage is also already allowed. Use the policy editor to enable U2F Tokens in the "Authentication Methods" policy setting globally (the only option for MFA) or for specific applications and users. See the Policy & Control documentation for more information.

Duo MFA customers who don't see the top level Policy navigation item in their Admin Panel (typically a customer who signed up for Duo before April 2015) must first allow U2F token usage to make U2F an available authentication method for users. While on the Settings page, scroll down to the "Authentication Methods" section and check the box next to Allow the use of U2F tokens under the "U2F Tokens" option. Scroll down to the bottom of the page and click the Save Changes button when done.

Allow U2F Tokens

Enabling the U2F token labs feature adds "U2F token" to the list of enabled Authentication Methods and enables U2F by default.

Enable U2F as an Authentication Method

If you don't want your users enrolling U2F tokens yet, uncheck the box next to U2F token and scroll down to the bottom of the "Settings" page to click the Save Changes button.

Phone Call Settings

In the "Phone Calls" section of the Settings page you can customize your users' experience of callback-based second-factor authentication. For example, you can set the "Outgoing caller ID" so that these automated calls appear to come from a specific number within your organization (such as main reception or tech support).

By default users can press any key to accept authentication. You can customize the authentication process in the "Phone callback Keys" section, so that users can easily authenticate a secondary authentication request or report fraud in a single step.

Phone call settings

SMS Passcodes

In the "SMS Passcodes" section of the Settings page, admins can customize the message sent with SMS passcodes, as well as the number of passcodes sent in each batch (up to 10). Sending multiple passcodes in one SMS message is cost-effective for both users and organizations. For additional security, SMS passcodes can be set to expire after a set time. A new batch can be automatically sent after the last passcode is used, so users are never without an authentication passcode.

SMS passcodes settings

Lockout and Fraud

In the "Lockout and Fraud" section of this page, you can adjust the number of consecutive failed authentication attempts allowed before the user's account is locked out to prevent brute force attacks. The user lockout counter increments after each failed authentication attempt (such as push timeout or incorrect passcode entered). The default lockout threshold is ten failed attempts.

You can also specify who to email when a lockout is triggered with the "Alert email" setting. Notify all admins sends an email to all Duo administrators at each user lockout. Use the Notify a specific email address field to limit which Duo administrators receive lockout notifications or to specify a distribution list. Lockout events trigger no emails with the Do not notify option enabled.

Enabling the "Anomaly Detection" setting provides enhanced protection from fraudulent authentication requests for Duo Mobile users. Check the box next to Block anomalous Duo Push attempts to activate this option. Anomaly detection prevents Duo Mobile from receiving multiple push requests per user within a short period of time. Users will need to wait one minute before requesting another Duo Push. Authentication Log entries alert administrators to the behavior. Customers who have created automation leveraging two-factor authentication should add delays to their process to avoid triggering anomaly detection.

See Raising the Bar - Anomaly Detection in the Duo Blog for more information about anomalous push detection. If you are unsure of whether to enable this feature, please contact support.

Lockout and fraud settings

If "Auto-lockout expiration" is enabled, a locked-out Duo user is automatically moved back to "Active" status after the specified amount of time. Otherwise, locked-out users may not log in until you manually change that user's status from "Locked Out" to "Active" or "Bypass".

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username. You will see the user's current status in the "Status" section of the user properties page:

    Locked out user

  3. Re-enable the user by selecting the desired status, then scroll down and click the Save Changes button.
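To see how a given lockout threshold would have behaved, you can replay past authentication results against the consecutive-failure rule described above. This is an added example, not Duo's code: the log line format and user names are constructed, and it assumes a successful authentication resets the counter (the reading of "consecutive" used here).

```python
from collections import defaultdict

DEFAULT_THRESHOLD = 10  # default lockout threshold stated on this page

# Constructed sample lines: "<ISO-8601 UTC time> <user> <factor> <result>".
# This is not Duo's log format; adapt the parsing to your own export.
SAMPLE_LOG = """\
2024-06-01T09:00:05Z dave passcode failure
2024-06-01T09:00:09Z erin push failure
2024-06-01T09:00:20Z dave passcode failure
2024-06-01T09:01:02Z erin push failure
2024-06-01T09:01:10Z dave passcode failure
2024-06-01T09:01:40Z erin push success
2024-06-01T09:02:00Z dave passcode failure
2024-06-01T09:03:00Z erin passcode failure
"""


def replay(log_text, threshold=DEFAULT_THRESHOLD):
    """Replay results in time order.

    Returns (peak, locked): peak maps user -> longest run of consecutive
    failures seen; locked maps user -> timestamp of the failure that reached
    the threshold.
    """
    streak = defaultdict(int)
    peak = defaultdict(int)
    locked = {}
    # Same-format ISO timestamps sort correctly as plain strings.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, user, _factor, result = line.split()
        if user in locked:
            continue  # a locked-out user cannot authenticate until re-enabled
        if result == "success":
            streak[user] = 0  # assumption: success ends the consecutive run
            continue
        streak[user] += 1  # push timeout, wrong passcode, etc.
        peak[user] = max(peak[user], streak[user])
        if streak[user] >= threshold:
            locked[user] = ts
    return dict(peak), locked


if __name__ == "__main__":
    for threshold in (3, DEFAULT_THRESHOLD):
        peak, locked = replay(SAMPLE_LOG, threshold)
        print(f"threshold={threshold} peak={peak} locked={locked}")
```

Users whose peak run sits just under a candidate threshold are the ones to look at before lowering it.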

Telephony Credits

Duo supports telephony-based authentication via phone calls and SMS messages. Each authentication call or SMS message is debited from your telephony credit balance. Paid accounts are issued credits monthly, and may purchase extra telephony credits as needed. Duo Free accounts do not receive monthly credit refills, but may purchase additional telephony credits.

If you ever exhaust your telephony credit balance, your users will not be able to receive authentication phone calls or text messages. To avoid this, Duo automatically notifies all account administrators when the credit balance falls below a pre-determined percentage of your total credits.

You can configure the credit balance email alert in the "Telephony Credits" section of the Settings page. Change the "Low-credit alerts" option to Alert when account has fewer than _ credits and enter a number in the blank to change when the alert gets triggered. You can also change the low-credit alert email recipient by entering an email address in the Low credit alert email field. If no email is specified then all Duo administrators receive the low-credit alert email.

The rate card shows how many credits each SMS message or telephone call consumes per country. By default, Duo restricts the maximum telephony credits used per transaction to 20 credits. If your users are in locations with more expensive telephony rates you can increase the 20 credit maximum. Conversely, if you know that telephony rates for your users should never exceed a certain amount you may reduce the maximum allowed credits below 20. To raise or lower the maximum credit usage per user authentication, enter the desired number in the Max credits per action box.

Telephony credits settings

Inactive User Expiration

Since Duo is licensed on a per-user basis, you are charged based on the number of users you have in Duo, regardless of their activity. Admins may choose to automatically remove inactive users from Duo after a set period. To do this, click the radio button next to Expire users after a set period of inactivity and enter the maximum number of days an inactive user will be permitted to remain in Duo. The number of inactive days is calculated from the last successful Duo authentication. Failed authentication attempts do not reset the inactivity counter.

Inactive user expiration settings

If this option is enabled, users who do not authenticate for the specified number of days are put into "pending deletion" status. This also applies to existing users who have not authenticated within the newly configured inactivity period. After seven days in "pending deletion" status, the user is permanently deleted from Duo. If the user successfully authenticates to Duo during the seven day "pending deletion" period, then the user is restored to normal active status in Duo and the inactivity timer is reset.

For example, you may have users who were enrolled in Duo 100 days ago but some have not authenticated since shortly after enrolling. If you enable inactive user expiration and set the maximum number of days to 90, then users who last authenticated more than 90 days ago are marked as "pending deletion" and are deleted seven days later if they do not authenticate again. Going forward, any user whose inactivity counter reaches 90 days will also be put into "pending deletion" status for seven days, and then deleted if they do not authenticate again during the seven day "pending deletion" waiting period.

A user deleted by the system for inactivity will need to re-enroll in Duo in order to authenticate again.
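Because the setting also applies to existing users, it is worth forecasting who will be affected before turning it on. The following added example (not Duo's code) applies the rules described above to a constructed user list; the function names, the sample users, and the "review" status for users with no recorded successful authentication are assumptions of this sketch.

```python
from datetime import datetime, timedelta, timezone

PENDING_DELETION = timedelta(days=7)  # waiting period stated on this page


def forecast(last_success, enabled_at, max_inactive_days, as_of):
    """Predict one user's status at `as_of`, assuming no further successful
    authentication. Returns (status, projected_deletion_time_or_None)."""
    if last_success is None:
        # The page counts inactivity from the last *successful* authentication
        # and does not say how never-authenticated users are handled.
        return ("review", None)
    # Users already past the limit enter "pending deletion" when the setting
    # is enabled; everyone else does so when their own counter runs out.
    pending_from = max(last_success + timedelta(days=max_inactive_days),
                       enabled_at)
    delete_at = pending_from + PENDING_DELETION
    if as_of < pending_from:
        return ("active", delete_at)
    if as_of < delete_at:
        return ("pending deletion", delete_at)
    return ("deleted", delete_at)


def impact_report(users, enabled_at, max_inactive_days, as_of):
    """Map username -> forecast for a dict of last-successful-auth times."""
    return {name: forecast(ts, enabled_at, max_inactive_days, as_of)
            for name, ts in users.items()}


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: username -> last successful Duo authentication.
ENABLED_AT = utc(2024, 6, 1)
SAMPLE_USERS = {
    "alice": utc(2024, 5, 20),  # recently active
    "bob": utc(2024, 2, 22),    # 100 days before the setting is enabled
    "carol": None,              # no successful authentication on record
}

if __name__ == "__main__":
    for day in (ENABLED_AT, ENABLED_AT + PENDING_DELETION):
        print(day.date())
        report = impact_report(SAMPLE_USERS, ENABLED_AT, 90, day)
        for name, (status, when) in report.items():
            print(f"  {name:6} {status:17} {when.date() if when else '-'}")
```

A successful authentication during the waiting period is modeled by calling `forecast` again with the new timestamp, which returns the user to "active".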

Duo Mobile Restore

Enable Duo Restore if you'd like to give your end users the ability to back up Duo account information from the Duo Mobile app to Google Drive (Android devices) or iCloud (iOS devices). They can use this saved backup information to recover those Duo accounts to a replacement device of the same platform as the original backup.

Duo Restore differs from the self-service portal feature as follows:

  • Any edition may use Duo Restore, even Duo Free.
  • Duo Restore does not require enabling the self-service portal on any application.

When enabling Duo Restore, you'll designate a specific Duo-protected application to use with this feature. Users need to perform primary authentication as required by that designated application, plus Duo authentication using any other factor available to them, such as phone call approval, a hard token or SMS passcode, an administrator-issued bypass code, etc. As such, we don't recommend selecting an application to use with Duo Restore that also has an authentication methods policy applied which restricts use of factors other than Duo Push, as this prevents user recovery of accounts using Duo Restore to a new device unless your users typically have a second device already activated for Duo Push.

To enable Duo Restore:

  1. Select a web-based application you're already protecting with Duo from the drop-down list.
  2. Provide the URL of the application chosen in step 1 in the space provided.
  3. Scroll down to the bottom of the Settings page and click the Save Changes button.

Duo Mobile App Restore

After enabling Duo Restore, your end users can use the Duo Mobile app's account recovery options after installation on a new device.

To learn more about Duo Restore, including the experience for end users, see the guide to Duo Mobile account recovery.

Please note that Duo's app account backup and restore will not restore any third-party service accounts (where users scanned a barcode to enable 2FA on an external service like Facebook or Twitter) to a replacement device. After completing Duo Restore on a new device, a user needs to manually reactivate the Duo app for any third-party services. Note that an iOS user who backs up their device to iCloud can restore both Duo and third-party accounts to the same device. This is not possible for Android devices.


By default Duo authentication, telephony, and administrator action log entries are retained indefinitely. The "Logging" settings allow you to specify a retention period by selecting the Delete logs after _ days option and entering the maximum number of days to retain the log entries. When this option is set to delete, log entries older than the given number of days are purged.

Logging Options

Help Desk

Customize the help message shown to your users in the Duo browser prompt with the "Message" setting. Use this field to provide instructions to your users, such as directing them to call or email your organization's support group, or to show the URL of your service desk or device management portal (which they can copy and paste into a new browser tab).

Enter text up to 200 characters; HTML formatting or hyperlinks are not allowed.

Help Desk Settings

The text you specify here displays when a user clicks the "Need help?" link on the left side of the Duo prompt.

Custom Help Text in Duo Prompt

A bypass code is a passcode created as a backup authentication factor when a user's enrolled devices aren't available. Duo admins with the Owner, Administrator, User Manager, or Help Desk roles may create bypass codes for end users. You may optionally restrict your Help Desk admins' ability to customize bypass codes with the Do not allow Help Desk admins to customize bypass codes setting. Enabling this hides all customization options from the Help Desk, and any bypass codes they create are valid for the number of minutes you specify here.

Prevent your Help Desk from issuing bypass codes entirely with the Do not allow Help Desk admins to create bypass codes option.

Admin Password Policy

The "Admin Password Policy" settings define the length and strength requirements for Duo administrative user passwords. The default setting requires administrator passwords to be eight or more characters long. To change the minimum password length, enter the desired number of characters in the Minimum length box. To enforce password complexity, next to the Require at least one option select any combination of uppercase letter, lowercase letter, number, or special character.

Admin Password Policy Setting

FIPS 140-2

Passcodes generated by any recent version of the Duo Mobile app on iOS 6 and later or by the Duo Mobile app for Windows Phone 8.1/10 version 2.0 are FIPS 140-2 Level 1 compliant by default, as are hardware tokens purchased from Duo.

Customers who need FIPS 140-2 passcodes on Android devices can enforce this through the "FIPS 140-2" setting. If you do not see this option please contact Duo support to have this setting enabled for your account.

When enabled, Android devices with Duo Mobile version 3.12 and later generate FIPS 140-2 Level 1 passcodes. Users may not authenticate with passcodes generated by earlier versions of Duo Mobile on Android.

Duo Push and phone call verification are unaffected by this setting, and Android devices with any version of Duo Mobile may approve Push and Phone authentication requests.

When deploying Duo two-factor authentication in a FIPS environment, use the Authentication Methods policy to permit use of only the authentication factors that meet organizational compliance requirements.

Labs Features

Duo's Labs Features are stable features that may be enabled on an opt-in basis by Duo MFA plan customers. Duo Security may modify, remove, or change the price of these features in the future. Please see the Labs Features FAQ for more information.

Labs Features are distinguished from normal features in the Duo Admin Panel with a special logo and watermark. The features are greyed out until they are enabled on the Labs Features settings page.

Labs Features

To enable or disable Labs Features, click Settings in the left sidebar, then click Labs Features. For each new capability you'd like to try, select Enable and click the Save Changes button. Alternatively, you can click the Learn more and enable link next to a specific Labs Feature from the Settings page.

Enable or Disable Labs Features

Enrollment Email

The "Enrollment Email" setting lets you customize the message sent to users imported into Duo via AD or Azure when the synced directory has the "Send enrollment email to synced users" option enabled. You can choose to include your company logo

Enrollment email settings

